rpms/selinux-policy/F-8 booleans-targeted.conf, 1.34, 1.35 policy-20070703.patch, 1.137, 1.138 selinux-policy.spec, 1.579, 1.580
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Sat Nov 17 11:31:06 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17603
Modified Files:
booleans-targeted.conf policy-20070703.patch
selinux-policy.spec
Log Message:
* Fri Nov 16 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-57
- Allow lvm to search mnt
- Add booleans for xguest account
xguest_mount_media
xguest_connect_network
xguest_use_bluetooth
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/booleans-targeted.conf,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- booleans-targeted.conf 9 Nov 2007 19:42:58 -0000 1.34
+++ booleans-targeted.conf 17 Nov 2007 11:30:22 -0000 1.35
@@ -258,3 +258,15 @@
# Allow postfix locat to write to mail spool
#
allow_postfix_local_write_mail_spool=true
+
+# Allow xguest to mount usb devices
+#
+xguest_mount_media=true
+
+# Allow xguest to manage network connections
+#
+xguest_connect_network=true
+
+# Allow xguest to use bluetooth devices
+#
+xguest_use_bluetooth=true
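Review bot: These three entries default the new xguest tunables to `true`, overriding the `false` default that each `gen_tunable` in xguest.te declares in this same commit, so a guest session gets media mounting, NetworkManager configuration and Bluetooth access out of the box; the comments should say so rather than just restating the boolean's name, e.g. `# Allow xguest to manage network connections (on by default; set to false to keep guests away from NetworkManager)`. The wording also diverges from the policy side: `xguest_mount_media` says "usb devices" here but "removable media" in xguest.te, and the `hal_dbus_chat` it gates is not USB-specific, so "removable media" is the accurate phrase in both places.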
policy-20070703.patch:
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.137 -r 1.138 policy-20070703.patch
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.137
retrieving revision 1.138
diff -u -r1.137 -r1.138
--- policy-20070703.patch 15 Nov 2007 21:24:52 -0000 1.137
+++ policy-20070703.patch 17 Nov 2007 11:30:22 -0000 1.138
@@ -3994,7 +3994,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-14 09:49:45.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-16 13:24:55.000000000 -0500
@@ -4,6 +4,7 @@
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4003,41 +4003,95 @@
/dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0)
/dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -20,6 +21,7 @@
+@@ -14,22 +15,29 @@
+ /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0)
++/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
-@@ -30,6 +32,7 @@
+ /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
+ /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
+ /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+ /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
++/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,mls_systemhigh)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-@@ -49,6 +52,7 @@
+@@ -41,6 +49,11 @@
+ /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
++
++/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
+ /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+@@ -49,6 +62,9 @@
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -98,6 +102,7 @@
+@@ -65,9 +81,11 @@
+ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
++/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/usb/.+ -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ ifdef(`distro_suse', `
+ /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
+@@ -95,11 +113,21 @@
+ /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+
+ /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
++/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
++/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
++/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+
+ /dev/pts(/.*)? <<none>>
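Review bot: `/dev/bometric/sensor.*` near the end of the hunk looks like a typo for `/dev/biometric/sensor.*`; as written it matches nothing, so biometric sensor nodes would keep the generic /dev context instead of `event_device_t`, and any domain granted only `event_device_t` access would be denied on them. The new `/dev/usb/.+` catch-all labels everything under `/dev/usb` as `usb_device_t`; on systems that expose printers as `/dev/usb/lp[0-9]` (the existing `/dev/usblp.*` rule does not match that path) those nodes presumably end up `usb_device_t` rather than `printer_device_t`, so an explicit `/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)` rule is worth adding unless the tree already has one outside this view. The rest of the additions (`/dev/mergemem` at `mls_systemhigh` like `/dev/kmem`, the clock and input nodes) are consistent with their neighbours.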
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-12 23:22:11.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-16 13:36:12.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -4072,7 +4126,23 @@
## Allow full relabeling (to and from) of directories in /dev.
## </summary>
## <param name="domain">
-@@ -1306,6 +1324,44 @@
+@@ -667,6 +685,7 @@
+ ')
+
+ dontaudit $1 device_node:blk_file getattr;
++ dev_dontaudit_getattr_generic_blk_files($1)
+ ')
+
+ ########################################
+@@ -704,6 +723,7 @@
+ ')
+
+ dontaudit $1 device_node:chr_file getattr;
++ dev_dontaudit_getattr_generic_chr_files($1)
+ ')
+
+ ########################################
+@@ -1306,6 +1326,44 @@
########################################
## <summary>
@@ -4117,7 +4187,7 @@
## Read input event devices (/dev/input).
## </summary>
## <param name="domain">
-@@ -1623,6 +1679,78 @@
+@@ -1623,6 +1681,78 @@
########################################
## <summary>
@@ -4259,7 +4329,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-12 15:59:14.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-16 09:41:59.000000000 -0500
@@ -6,6 +6,22 @@
# Declarations
#
@@ -4297,7 +4367,7 @@
# Use trusted objects in /dev
dev_rw_null(domain)
-@@ -134,3 +154,32 @@
+@@ -134,3 +154,31 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -4326,7 +4396,6 @@
+optional_policy(`
+ rpm_rw_pipes(domain)
+')
-+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(domain)
+')
@@ -4345,7 +4414,7 @@
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-11-13 21:17:02.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-11-16 17:46:24.000000000 -0500
@@ -343,8 +343,7 @@
########################################
@@ -5099,17 +5168,6 @@
## Do not audit attempts to list unlabeled directories.
## </summary>
## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.8/policy/modules/kernel/kernel.te
---- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te 2007-10-30 19:49:01.000000000 -0400
-@@ -278,6 +278,7 @@
-
- optional_policy(`
- logging_send_syslog_msg(kernel_t)
-+ logging_unconfined(kernel_t)
- ')
[...1993 lines suppressed...]
optional_policy(`
@@ -16517,6 +16496,10 @@
+')
+
+optional_policy(`
++ unconfined_domain(lvm_t)
++')
++
++optional_policy(`
udev_read_db(lvm_t)
')
+
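Review bot: `unconfined_domain(lvm_t)` added in this hunk is far broader than the changelog's "Allow lvm to search mnt": it lifts lvm_t's confinement entirely instead of granting the one missing search permission, and nothing in the hunk records why. If the observed denial was only a directory search on mnt, the narrower `files_search_mnt(lvm_t)` (assuming this refpolicy release provides that interface) keeps lvm confined; if fully unconfining lvm is intentional, a comment above the block such as `# lvm is run unconfined because <reason / bug reference>` should say so, since a root-running device-metadata parser is exactly the kind of domain confinement is meant to cover. The enclosing lvm.te section continues outside this hunk.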
@@ -16911,7 +16894,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-11-10 07:25:22.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-11-16 17:44:12.000000000 -0500
@@ -585,7 +585,7 @@
type selinux_config_t;
')
@@ -17743,7 +17726,7 @@
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-14 09:50:10.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-16 17:33:54.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -17778,18 +17761,7 @@
kernel_unconfined($1)
corenet_unconfined($1)
-@@ -79,6 +79,10 @@
- ')
-
- optional_policy(`
-+ logging_unconfined($1)
-+ ')
-+
-+ optional_policy(`
- nscd_unconfined($1)
- ')
-
-@@ -399,12 +403,11 @@
+@@ -399,12 +399,11 @@
########################################
## <summary>
@@ -17804,7 +17776,7 @@
## </summary>
## </param>
#
-@@ -413,9 +416,10 @@
+@@ -413,9 +412,10 @@
type unconfined_t;
')
@@ -17816,7 +17788,7 @@
########################################
## <summary>
## Connect to the unconfined domain using
-@@ -437,6 +441,25 @@
+@@ -437,6 +437,25 @@
########################################
## <summary>
@@ -17842,7 +17814,7 @@
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
## </summary>
-@@ -558,7 +581,7 @@
+@@ -558,7 +577,7 @@
')
files_search_home($1)
@@ -17851,7 +17823,7 @@
read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
')
-@@ -601,3 +624,216 @@
+@@ -601,3 +620,216 @@
allow $1 unconfined_tmp_t:file { getattr write append };
')
@@ -18330,7 +18302,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-14 14:05:33.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-16 17:13:34.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -19085,7 +19057,7 @@
+## </summary>
+## </param>
+#
-+template(`userdom_unpriv_login_user', `
++template(`userdom_restricted_user_template',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
@@ -19128,8 +19100,8 @@
+## </param>
+#
+template(`userdom_unpriv_user_template', `
++ userdom_restricted_user_template($1)
+
-+ userdom_unpriv_login_user($1)
+
+ # Find CDROM devices:
+ kernel_read_device_sysctls($1_t)
@@ -19622,7 +19594,7 @@
+## </summary>
+## </param>
+#
-+template(`userdom_unpriv_xwindows_login_user', `
++template(`userdom_restricted_xwindows_user_template', `
+
+userdom_unpriv_login_user($1)
+# Should be optional but policy will not build because of compiler problems
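Review bot: The body of the renamed `userdom_restricted_xwindows_user_template` still calls `userdom_unpriv_login_user($1)` on the line after the template declaration, but this same commit renames that definition to `userdom_restricted_user_template` earlier in userdomain.if and updates the call in `userdom_unpriv_user_template` accordingly; unless the old name is still defined somewhere outside this view, the call will not expand and the module build will fail. The line should read `userdom_restricted_user_template($1)`. The template body continues past the end of the hunk.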
@@ -20244,11 +20216,12 @@
+## <summary>Policy for guest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-11-08 09:00:10.000000000 -0500
-@@ -0,0 +1,3 @@
-+policy_module(guest,1.0.0)
-+userdom_unpriv_login_user(guest)
-+userdom_unpriv_login_user(gadmin)
++++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-11-16 17:15:41.000000000 -0500
+@@ -0,0 +1,4 @@
++policy_module(guest,1.0.1)
++userdom_restricted_user_template(guest)
++userdom_restricted_user_template(gadmin)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/users/logadm.fc 2007-10-29 23:59:29.000000000 -0400
@@ -20348,18 +20321,52 @@
+## <summary>Policy for xguest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.0.8/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2007-11-08 09:00:00.000000000 -0500
-@@ -0,0 +1,11 @@
-+policy_module(xguest,1.0.0)
-+userdom_unpriv_xwindows_login_user(xguest)
++++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2007-11-16 17:11:08.000000000 -0500
+@@ -0,0 +1,45 @@
++policy_module(xguest,1.0.1)
++
++## <desc>
++## <p>
++## Allow xguest users to mount removable media
++## </p>
++## </desc>
++gen_tunable(xguest_mount_media,false)
++
++## <desc>
++## <p>
++## Allow xguest to configure Network Manager
++## </p>
++## </desc>
++gen_tunable(xguest_connect_network,false)
++
++## <desc>
++## <p>
++## Allow xguest to use blue tooth devices
++## </p>
++## </desc>
++gen_tunable(xguest_use_bluetooth,false)
++
++userdom_restricted_xwindows_user_template(xguest)
++
+mozilla_per_role_template(xguest, xguest_t, xguest_r)
++
+# Allow mounting of file systems
+optional_policy(`
-+ hal_dbus_chat(xguest_t)
++ tunable_policy(`xguest_mount_media',`
++ hal_dbus_chat(xguest_t)
++ ')
+')
+
+optional_policy(`
-+ bluetooth_dbus_chat(xguest_t)
++ tunable_policy(`xguest_connect_network',`
++ networkmanager_dbus_chat(xguest_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`xguest_use_bluetooth',`
++ bluetooth_dbus_chat(xguest_t)
++ ')
+')
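Review bot: The three tunables are declared with default `false`, but the booleans-targeted.conf change in this same commit sets all three to `true`, so on the shipped targeted policy the gates are open by default and the net effect of this hunk is to add `networkmanager_dbus_chat(xguest_t)` — letting the guest session drive NetworkManager over D-Bus — rather than to restrict anything; the `<desc>` blocks should state the effective default, e.g. `## Allow xguest to configure Network Manager (enabled by default in the targeted policy)`. Defaulting network reconfiguration and media mounting to on for a guest account deserves a one-line rationale here. Minor: the bluetooth description reads "blue tooth", and the NetworkManager and bluetooth `optional_policy` blocks lack the `# Allow ...` comment the mount block has.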
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-22 13:21:43.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.579
retrieving revision 1.580
diff -u -r1.579 -r1.580
--- selinux-policy.spec 15 Nov 2007 21:24:52 -0000 1.579
+++ selinux-policy.spec 17 Nov 2007 11:30:22 -0000 1.580
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 56%{?dist}
+Release: 57%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -380,6 +380,13 @@
%endif
%changelog
+* Fri Nov 16 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-57
+- Allow lvm to search mnt
+- Add booleans for xguest account
+ xguest_mount_media
+ xguest_connect_network
+ xguest_use_bluetooth
+
* Thu Nov 15 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-56
- Remove /usr/sbin/gdm label
- Label gstreamer codecs in homedir as textrel_shlib_t